Tuesday, October 19, 2010

Adding XSSF to Metasploit Framework

The XSS Framework (XSSF) is able to manage victims of a generic XSS attack and hold an already existing connection in order to allow future attacks.After injection of the generic attack (resource "loop" generated by XSSF), each victim will ask the attack server (every "x" seconds) if new commands are available:

The advantage of having the project built within the Metasploit Framework is the ability to run exploits (on browsers for example) already included in MSF. In addition, new exploits can be executed on old victims already linked to the attack server.Unlike the existing projects (BeEF, XeeK, XSSShell/XSSTunnel), XSSF gives the possibility to simply add and run attacks (adding modules), and execute already existing MSF exploit without installing third-party solutions (server, database ... [which are already provided by Ruby/MSF]). In addition, the ability to create XSS tunnels with targeted victims is a real advantage knowing that only XSSShell/XSSTunnel manages it but is not portable (ASP.NET).